[cgmanager-devel] New Defects reported by Coverity Scan for cgmanager
scan-admin at coverity.com
scan-admin at coverity.com
Sat Apr 5 01:26:05 UTC 2014
Hi,
Please find the latest report on new defect(s) introduced to cgmanager found with Coverity Scan.
Defect(s) Reported-by: Coverity Scan
Showing 8 of 8 defect(s)
** CID 1195833: Unchecked return value (CHECKED_RETURN)
/fs.c: 175 in save_mount_subsys()
** CID 1195834: Dereference before null check (REVERSE_INULL)
/fs.c: 1084 in get_child_directories()
** CID 1195837: Untrusted loop bound (TAINTED_SCALAR)
/cgmanager-proxy.c: 788 in get_tasks_main()
** CID 1195836: Use of untrusted value (TAINTED_SCALAR)
/cgmanager-proxy.c: 869 in list_children_main()
/cgmanager-proxy.c: 877 in list_children_main()
** CID 1195838: Time of check time of use (TOCTOU)
/fs.c: 401 in create_agent_symlinks()
** CID 1195832: Side effect in assertion (ASSERT_SIDE_EFFECT)
/cgmanager-client.c: 7590 in cgmanager_get_all_sync()
** CID 1195831: Side effect in assertion (ASSERT_SIDE_EFFECT)
/cgmanager-client.c: 7415 in cgmanager_org_linuxcontainers_cgmanager0_0_get_all_notify()
** CID 1195835: String not null terminated (STRING_NULL)
/cgmanager-proxy.c: 880 in list_children_main()
________________________________________________________________________________________________________
*** CID 1195833: Unchecked return value (CHECKED_RETURN)
/fs.c: 175 in save_mount_subsys()
169 if ((controller = strchr(s, '='))) {
170 /* this is something like 'name=systemd' */
171 src = alloca(len+6);
172 /* so for controller we want 'systemd' */
173 controller++;
174 /* and for source we want "none,name=systemd" */
>>> CID 1195833: Unchecked return value (CHECKED_RETURN)
>>> Calling "snprintf" without checking return value (as is done elsewhere 13 out of 14 times).
175 snprintf(src, len+6, "none,%s", s);
176 } else {
177 controller = s;
178 src = s;
179 }
180
________________________________________________________________________________________________________
*** CID 1195834: Dereference before null check (REVERSE_INULL)
/fs.c: 1084 in get_child_directories()
1078 continue;
1079 if (used+1 >= alloced) {
1080 char **tmp;
1081 alloced += 5;
1082 tmp = nih_realloc(*output, parent, alloced * sizeof(char *));
1083 if (!tmp) {
>>> CID 1195834: Dereference before null check (REVERSE_INULL)
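>>> Null-checking "*output" suggests that it may be null, but it has already been dereferenced on all paths leading to the check. Note also that line 1086 assigns NULL to the local pointer "output" rather than to "*output", so when "*output" was non-null the caller's pointer still refers to the array freed by nih_free().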
1084 if (*output)
1085 nih_free(*output);
1086 output = NULL;
1087 nih_error("%s: Out of memory", __func__);
1088 closedir(d);
1089 return -1;
________________________________________________________________________________________________________
*** CID 1195837: Untrusted loop bound (TAINTED_SCALAR)
/cgmanager-proxy.c: 788 in get_tasks_main()
782 if (nrpids == 0) {
783 ret = 0;
784 goto out;
785 }
786
787 *pids = NIH_MUST( nih_alloc(parent, nrpids * sizeof(uint32_t)) );
>>> CID 1195837: Untrusted loop bound (TAINTED_SCALAR)
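>>> Using tainted variable "nrpids" as a loop boundary. The same value sizes the allocation on line 787 ("nrpids * sizeof(uint32_t)"), and the lines shown reject only zero, so an upper bound needs to be enforced before both uses.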
788 for (i=0; i<nrpids; i++) {
789 get_scm_creds_sync(sv[0], &tcred);
790 if (tcred.pid == -1) {
791 nih_error("%s: Failed getting pid from server",
792 __func__);
793 goto out;
________________________________________________________________________________________________________
*** CID 1195836: Use of untrusted value (TAINTED_SCALAR)
/cgmanager-proxy.c: 869 in list_children_main()
863 goto out;
864 }
865 if (recv(sv[0], &len, sizeof(uint32_t), 0) != sizeof(uint32_t))
866 goto out;
867
868 paths = nih_alloc(NULL, len);
>>> CID 1195836: Use of untrusted value (TAINTED_SCALAR)
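>>> Passing tainted variable "len" to a tainted sink. "len" is received from the socket on line 865 and used unchanged as the allocation size on line 868 and the read length on line 869; the lines shown apply no upper bound and do not check the result of nih_alloc() before reading into "paths".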
869 if (read(sv[0], paths, len) != len) {
870 nih_error("%s: Failed getting paths from server", __func__);
871 goto out;
872 }
873
874 *output = NIH_MUST( nih_alloc(parent, sizeof( char*)*(nrkids+1)) );
/cgmanager-proxy.c: 877 in list_children_main()
871 goto out;
872 }
873
874 *output = NIH_MUST( nih_alloc(parent, sizeof( char*)*(nrkids+1)) );
875
876 s = paths;
>>> CID 1195836: Use of untrusted value (TAINTED_SCALAR)
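>>> Using tainted variable "nrkids" as an index to pointer "*output". "nrkids" also sizes that allocation on line 874 and bounds the loop on line 878, and it is not range-checked in the lines shown.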
877 (*output)[nrkids] = NULL;
878 for (i=0; i<nrkids; i++) {
879 (*output)[i] = NIH_MUST( nih_strdup(parent, s) );
880 s += strlen(s) + 1;
881 }
882 ret = nrkids;
________________________________________________________________________________________________________
*** CID 1195838: Time of check time of use (TOCTOU)
/fs.c: 401 in create_agent_symlinks()
395 if (ret < 0 || ret >= MAXPATHLEN) {
396 nih_error("path names too long");
397 return false;
398 }
399 nih_info("buf is %s", buf);
400 if (!file_exists(buf)) {
>>> CID 1195838: Time of check time of use (TOCTOU)
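>>> Calling function "symlink" that uses ""/usr/local/sbin/cgm-release-agent"" after a check function. This can cause a time-of-check, time-of-use race condition. The existence check on line 400 and the symlink() call on line 401 are separate operations, so the path can be created in between; symlink() already fails with EEXIST when the path exists, so that error can be handled instead of checking first.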
401 if (symlink(AGENT, buf) < 0) {
402 nih_error("failed to create release agent for %s",
403 all_mounts[i].controller);
404 return false;
405 }
406 }
________________________________________________________________________________________________________
*** CID 1195832: Side effect in assertion (ASSERT_SIDE_EFFECT)
/cgmanager-client.c: 7590 in cgmanager_get_all_sync()
7584 dbus_message_iter_get_basic (&variter, &api_version);
7585
7586 dbus_message_iter_next (&variter);
7587
7588 (*properties)->api_version = api_version;
7589
>>> CID 1195832: Side effect in assertion (ASSERT_SIDE_EFFECT)
>>> Argument "++property_count" of nih_assert() has a side effect. The containing function might work differently in a non-debug build.
7590 nih_assert (++property_count);
7591 }
7592
7593 dbus_message_iter_next (&dictiter);
7594
7595 if (dbus_message_iter_get_arg_type (&dictiter) != DBUS_TYPE_INVALID) {
________________________________________________________________________________________________________
*** CID 1195831: Side effect in assertion (ASSERT_SIDE_EFFECT)
/cgmanager-client.c: 7415 in cgmanager_org_linuxcontainers_cgmanager0_0_get_all_notify()
7409 dbus_message_iter_get_basic (&variter, &api_version);
7410
7411 dbus_message_iter_next (&variter);
7412
7413 properties->api_version = api_version;
7414
>>> CID 1195831: Side effect in assertion (ASSERT_SIDE_EFFECT)
>>> Argument "++property_count" of nih_assert() has a side effect. The containing function might work differently in a non-debug build.
7415 nih_assert (++property_count);
7416 }
7417
7418 dbus_message_iter_next (&dictiter);
7419
7420 if (dbus_message_iter_get_arg_type (&dictiter) != DBUS_TYPE_INVALID) {
________________________________________________________________________________________________________
*** CID 1195835: String not null terminated (STRING_NULL)
/cgmanager-proxy.c: 880 in list_children_main()
874 *output = NIH_MUST( nih_alloc(parent, sizeof( char*)*(nrkids+1)) );
875
876 s = paths;
877 (*output)[nrkids] = NULL;
878 for (i=0; i<nrkids; i++) {
879 (*output)[i] = NIH_MUST( nih_strdup(parent, s) );
>>> CID 1195835: String not null terminated (STRING_NULL)
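>>> Passing unterminated string "s" to "strlen", which expects a null-terminated string. "s" walks the "paths" buffer filled by read() on line 869, and nothing in the lines shown verifies that the buffer ends in a NUL byte or holds "nrkids" terminated strings, so nih_strdup() and strlen() can read past its end.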
880 s += strlen(s) + 1;
881 }
882 ret = nrkids;
883 out:
884 close(sv[0]);
885 close(sv[1]);
________________________________________________________________________________________________________
To view the defects in Coverity Scan, visit http://scan.coverity.com/projects/1082?tab=Overview
To unsubscribe from the email notification for new defects, http://scan5.coverity.com/cgi-bin/unsubscribe.py